I’m out in Boston for the SOURCE conference where Hoff and I just presented on Disruptive Innovation and the Future of Security. It went well, but we’re only giving ourselves a 6 out of 10. We tried to stuff in too much content and didn’t focus as much as we should have. We’ve already mapped out the next version and I wish we were giving it before June (our next scheduled show).
One thing I noticed during our discussion of my section on the Information-Centric Security Lifecycle is that we’ve failed to talk about data governance. Since, thanks to Chris, I’ve become convinced that information is data with value, we’ll skip data governance and jump right into information governance.
Consistent with my last short post, here are a few points on principles for information governance:
- The business, not IT or security, must determine the relative value of information.
- Information classification must represent the value of the information.
- Business and technical policies and controls must align with the information value/classification.
- Information governance must be consistent, practical, and auditable.
- The Board of Directors and executives are responsible and accountable for information governance, which is then implemented by business units (including IT).
- Information governance should not be so detailed that it can’t account for new information or accurately reflect the reality of a business in motion.
These aren’t quite as thought out as the Principles of Information-Centric Security, but I think they are a fairly reasonable place to start the discussion. Also keep in mind that I’m not talking about in-depth, impractical classification of every piece of data in an organization. This is about broad strokes to guide users in understanding what information has value over other information, and how that information should then be handled.
You’ll also notice I didn’t mention security. Not once. Security is only one tool in the governance kit.